Access the room: https://tryhackme.com/room/detecting-c2-with-rita-aoc2025-m9n2b5v8c1
The TBFC is very wary since the last series of attacks by the underlings of King Malhare. They are on full alert for anything happening. But they are getting restless; it is too quiet. Sir Elfo of the TBFC takes the initiative and proposes to hunt for Command-and-Control traffic using the meticulously collected network traffic. A majority of the TBFC elves object: "We don’t have the time to go through so much network traffic!" Sir Elfo chuckles: "Don’t fret, for I have a powerful tool to assist us! I present to you RITA, Real Intelligence Threat Analytics. We just need to convert our PCAP file to Zeek logs, and RITA will do the rest! Anyone can do it, just follow today’s tasks."
Learning Objectives
- Convert a PCAP to Zeek logs
- Use RITA to analyze Zeek logs
- Analyze the output of RITA
Modern malware rarely announces itself loudly. Instead, it whispers periodic beacons, obscure DNS requests, long-lived connections, and subtle data exfiltration. Detecting these signals at scale is difficult, which is where RITA (Real Intelligence Threat Analytics) shines.
In this walkthrough, we analyze network traffic using Zeek and RITA to uncover command-and-control (C2) activity hidden within packet captures. This post follows a TryHackMe challenge scenario involving King Malhare and his network of malicious “malrabbits.”
What Is RITA?
RITA is an open-source threat analytics framework developed by Active Countermeasures. Its primary goal is to identify C2 communication patterns by analyzing network metadata rather than payloads.
Core Capabilities:
RITA excels at detecting:
- C2 beaconing behavior
- DNS tunneling
- Long-lived connections
- Data exfiltration attempts
- Suspicious TLS behavior
- Known malicious infrastructure via threat intel feeds
Rather than relying on signatures, RITA correlates multiple data points (timestamps, connection counts, DNS queries, byte volumes) to uncover behavioral anomalies.
Why Zeek Is Required
RITA does not analyze raw PCAPs directly. Instead, it consumes Zeek logs.
Zeek is an open-source Network Security Monitoring (NSM) platform that passively observes traffic and converts it into structured, enriched logs. Unlike an IDS or IPS, Zeek does not block or alert by default; it provides high-fidelity visibility.
Out of the box, Zeek generates:
- Transaction data (e.g., HTTP, DNS, SSL logs)
- Extracted content (e.g., transferred files, certificates)
These logs form the foundation for RITA’s analysis.
Converting PCAPs into Zeek Logs
Initial Setup
Start the target machine as instructed to access the lab environment.

Directory Structure
Let's check out the directory structure in our VM.
ls
The pcaps directory contains real-world malware captures, while zeek_logs stores parsed Zeek output.
Parsing a PCAP

Let’s parse a PCAP with the following command; we will start with AsyncRAT.pcap:
zeek readpcap pcaps/AsyncRAT.pcap zeek_logs/asyncrat
Zeek processes the PCAP and outputs structured logs to the specified directory.
Let's list the generated logs:
cd zeek_logs/asyncrat && ls
Importing Zeek Logs into RITA
Now that we have all the required Zeek logs, we can import them into RITA for analysis using the following command:
rita import --logs ~/zeek_logs/asyncrat/ --database asyncrat
During import, RITA parses the relevant Zeek logs, normalizes the data, applies its analytical models, and cross-references threat intelligence feeds.
Viewing RITA Results
Once analysis is complete, we launch RITA’s terminal UI:
rita view asyncrat
The interface is divided into three main sections:
- Search Bar
- Results Pane
- Details Pane
Understanding the Results Pane
Each row represents a suspicious connection and includes:
- Severity score
- Source and destination IP/FQDN
- Beacon likelihood
- Connection duration
- Subdomain count
- Threat intelligence hits
Immediately, two entries stand out:
- A long FQDN ending in trycloudflare.com
- An external IP address flagged by threat intelligence
Threat Modifiers
Threat modifiers explain why a connection is suspicious. Common modifiers include:
- Prevalence: Indicates how many internal hosts communicate with an external destination. Low prevalence is often suspicious.
- First Seen: New external hosts are riskier than long-established ones.
- Rare Signature: Uncommon TLS certificates or handshake patterns often associated with malware.
- MIME Type / URI Mismatch: Inconsistent content indicators can signal obfuscation.
- Large Amount of Outgoing Data: Potential data exfiltration behavior.
- Missing Host Header: Often caused by malware or poorly implemented C2 frameworks.
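To make the beacon likelihood column and the Prevalence modifier concrete, here is an added illustration (not RITA's or Zeek's code) that scores interval regularity between connections and counts internal sources per external destination over a constructed conn.log excerpt. It assumes a reduced column set, RFC 1918 ranges as "internal" (RITA takes these from its configuration), and a simple coefficient-of-variation score rather than RITA's actual beacon model.

```python
# Added illustration (not RITA's or Zeek's code): a beacon score from interval regularity
# and a prevalence count per external destination, over a constructed conn.log excerpt.
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
# Constructed excerpt with a reduced column set: ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes.
# 10.0.0.13 polls 203.0.113.10 every ~60 s; three hosts hit 198.51.100.5 at irregular times.
CONN_LOG = "\n".join(
    ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes"]
    + [f"{1700000000 + 60 * i + i % 4}\t10.0.0.13\t203.0.113.10\t80\t512" for i in range(12)]
    + ["1700000005\t10.0.0.21\t198.51.100.5\t443\t1200",
       "1700000090\t10.0.0.22\t198.51.100.5\t443\t3400",
       "1700000400\t10.0.0.21\t198.51.100.5\t443\t90",
       "1700000470\t10.0.0.23\t198.51.100.5\t443\t7000"])

# Assumed internal ranges (RITA takes these from its config); RFC 1918 blocks used here.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def parse_conn_log(text):
    rows = []  # (ts, orig, resp, port, orig_bytes); Zeek '#' header lines are skipped
    for line in text.splitlines():
        if line and not line.startswith("#"):
            ts, orig, resp, port, obytes = line.split("\t")
            rows.append((float(ts), orig, resp, int(port), int(obytes)))
    return rows

def beacon_score(timestamps):
    """0..100: 100 means perfectly regular gaps; needs at least 4 connections."""
    if len(timestamps) < 4:
        return 0
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    cv = pstdev(gaps) / mean(gaps)  # relative jitter of the interval
    return round(100 * max(0.0, 1 - cv))

def analyze(rows):
    """Per internal->external pair: connection count, beacon score, destination prevalence."""
    by_pair, srcs_per_dst = defaultdict(list), defaultdict(set)
    for ts, orig, resp, _port, _obytes in rows:
        if is_internal(orig) and not is_internal(resp):
            by_pair[(orig, resp)].append(ts)
            srcs_per_dst[resp].add(orig)
    return {p: {"conns": len(t), "beacon": beacon_score(t), "prevalence": len(srcs_per_dst[p[1]])}
            for p, t in by_pair.items()}

if __name__ == "__main__":
    print(analyze(parse_conn_log(CONN_LOG)))
```

The polling host scores near 100 with a prevalence of 1 (only one internal host talks to that destination), which is the combination the text describes as most suspicious; the irregular, widely shared destination scores 0.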
Challenge Walkthrough
Now, to complete the challenge, we need to parse rita_challenge.pcap in the same way. First, let’s parse the PCAP file:
zeek readpcap pcaps/rita_challenge.pcap zeek_logs/rita_challenge
Now let’s import those generated logs into RITA using the following command:
rita import --logs ~/zeek_logs/rita_challenge/ --database rita_challenge
Once analysis is complete, launch RITA’s terminal UI to examine the log analysis:
rita view rita_challenge
Lab Answers
How many hosts are communicating with malhare.net?
6.

Which Threat Modifier tells us the number of hosts communicating to a certain destination?
Prevalence.

What is the highest number of connections to rabbithole.malhare.net?
40.

Which search filter would you use to search for all entries that communicate to rabbithole.malhare.net with a beacon score greater than 70% and sorted by connection duration (descending)?
dst:rabbithole.malhare.net beacon:>=70 sort:duration-desc.

Which port did the host 10.0.0.13 use to connect to rabbithole.malhare.net?
80.
